I’ve been on a crusade against using Heat Maps to convey risk to business leaders for just under a decade now. When I saw Fernando Hernandez post this graphic on LinkedIn in April, I got a good chuckle out of it (See Source below). It seemed to me to capture the main point about two common risk-forecasting tools: Heat Maps and Monte Carlo Simulations.
I love the contrast between the primitive and the advanced. Heat Maps are essentially bespoke spreadsheets (primitive) while Monte Carlo Simulations are advanced mathematical models of uncertainty. Thus, his proportional analogy between a Stethoscope and an MRI Machine seems valid:
Stethoscopes are to Heat Maps as MRI Machines are to Monte Carlo Simulations.
But hold the phone. After thinking about the analogy for a bit, I realized it wasn’t quite right. I love what Fernando was trying to do, but the metaphor is broken in a couple of places.
First, the mapping between the medical equipment doesn’t line up with the associated visualization tool. The stethoscope, when you think about it, only provides one kind of data point: heart rate. The infosec profession uses the heat map to visualize many kinds of data points, usually some kind of summary of all the risks in the organization’s risk register. It doesn’t make sense to use a heat map to convey heart rates. You would use a line graph or something similar instead.
Second, Fernando maps an MRI machine to a Monte Carlo Simulation. But a Monte Carlo Simulation isn’t a visualization tool like the heat map. It’s another measuring tool: a mathematical technique that uses repeated random sampling to model and predict the probability of different uncertain outcomes. Fernando’s proportional analogy breaks the metaphor.
To fix the metaphor then, we need a couple of things:
1. On the left side of the proportional analogy, we need a better primitive measuring tool than the stethoscope to associate with the heat map; something that collects multiple data points.
2. On the right side of the proportional analogy, we need an appropriate visualization method that we can associate with the MRI machine.
For #1, the measuring tool that immediately jumped to my mind is the medical triage process. Doctors and nurses use medical triage to prioritize patients based on the severity of their condition, especially when medical resources are limited or overwhelmed. It’s a primitive first cut at evaluating the current situation. When deciding which patient to look at next, maybe pick the one with the sucking chest wound and not the one with a finger blister. I’m not a doctor, so what do I know, but that seems logical to me. In the cybersecurity sense, the doctor is the CISO or some equivalent. Triaging cybersecurity risks is similar: maybe install the patch designed for the software with active exploitation in the wild before you fix that one legacy system that isn’t internet-facing.
For #2, the visualization tool that obviously comes to my mind is the loss exceedance curve. Risk forecasters use loss exceedance curves (LECs) to graphically show the probability that a specified level of financial loss will be exceeded within a given period. In the cybersecurity sense, security leaders can forecast the probability of various dollar losses to their organization due to a cyber event. If they know the dollar amount that the company leadership thinks is material, they can absolutely calculate the probability of material loss to their organization. I cover risk forecasting, loss exceedance curves, and why reducing the probability of a material cyber event is the absolute first principle for every infosec program in my book (Chapter 6).
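The Monte Carlo simulation and loss exceedance curve described above, as an added Python example that is not part of the original post or the book: the event frequency, the per-event loss distribution and the materiality threshold are constructed assumptions, chosen only to show how the probability of a material loss falls out of the simulated years.

```python
"""Monte Carlo simulation of annual cyber loss, summarised as a loss exceedance curve (LEC)."""
import math
import random

Z_90 = 1.2816  # standard-normal z-score of the 90th percentile


def simulate_annual_losses(n_years, event_rate, loss_median, loss_p90, seed=1):
    """Simulate total loss for each of n_years (one Monte Carlo trial per year).

    Assumed model (constructed for this example): the number of loss events in a
    year is Poisson(event_rate); each event's loss is lognormal, calibrated from a
    median and a 90th-percentile estimate, which is how a forecaster would elicit it.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    sigma = (math.log(loss_p90) - mu) / Z_90
    annual = []
    for _ in range(n_years):
        # Knuth's method for a Poisson draw: multiply uniforms until below e^-rate.
        limit, count, product = math.exp(-event_rate), 0, rng.random()
        while product > limit:
            count += 1
            product *= rng.random()
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return annual


def exceedance_probability(annual_losses, threshold):
    """P(annual loss > threshold): fraction of simulated years that exceed it."""
    if not annual_losses:
        raise ValueError("need at least one simulated year")
    return sum(1 for loss in annual_losses if loss > threshold) / len(annual_losses)


def loss_exceedance_curve(annual_losses, thresholds):
    """The LEC as (threshold, exceedance probability) pairs, ascending by threshold."""
    return [(t, exceedance_probability(annual_losses, t)) for t in sorted(thresholds)]


if __name__ == "__main__":
    # Constructed inputs: 0.5 events/year, typical event $250k, one in ten reaches $2M.
    years = simulate_annual_losses(10_000, 0.5, 250_000, 2_000_000, seed=7)
    for threshold, prob in loss_exceedance_curve(years, [1e5, 5e5, 1e6, 5e6, 1e7]):
        print(f"P(loss > ${threshold:>12,.0f}) = {prob:.3f}")
    material = 5_000_000  # constructed: what leadership considers material
    print(f"probability of a material loss this year: {exceedance_probability(years, material):.3f}")
```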
With all that said, here is my reimagined metaphor for conveying cyber risk.
Medical Triage Practices are to Heat Maps as MRI Machines are to Loss Exceedance Curves.
With it, I’m trying to convey the same idea that Fernando conveyed with his metaphor: the contrast between the primitive and the advanced. But I’m also trying to fix the analogy by:
1. Replacing the stethoscope with medical triage practices as the measuring tool on the primitive side.
2. Swapping the Monte Carlo Simulation for the Loss Exceedance Curve as the visualization method on the sophisticated side.
What do you think? Did I get it right?
Source
Fernando Hernandez, 2025. Risk Heat Maps vs Monte Carlo Simulations [Social Media Post]. LinkedIn. URL https://www.linkedin.com/posts/fernando-hernandez-izirisk_no-more-words-required-comments-activity-7318016061751103488-j43l/
References
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
I like the improvement, but I was hoping your updated metaphor would still stick it to heat maps :P
I've been using the following metaphor the last few weeks: Heat maps are yesterday's weather report, Monte Carlo simulations are the forecast for the rest of this week.